http://www.digitaljournal.com/tech-and-science/technology/how-veteran-s-affairs-came-to-be-hit-by-data-breach/article/578142

How Veteran's affairs came to be hit by data breach Special

Posted Sep 17, 2020 by Tim Sandle
A security breach breach related to the Department of Veteran's Affairs has taken place. How did this type of attack reach the heart of government and what are the implications. Two experts weigh in.
Cloud computing allows firms to cut costs and hassle by having outside firms host their data and pro...
Cloud computing allows firms to cut costs and hassle by having outside firms host their data and provide processing power for certain applications
Odd ANDERSEN, AFP/File
With the incident, social engineering techniques put 46,000 veterans at risk of being fraud victims. The VA said malicious actors used “social engineering techniques” and exploited “authentication protocols” to gain access to the system.
Peter Martini, president and co-founder of cloud cybersecurity company iboss, tells Digital Journal that the type of attack is becoming commonplace: "These types of social engineering attacks are becoming far more common. This threat, where attackers tricked employees into breaching security procedures, is especially dangerous in remote workplaces." This is in the context of remote working being more common in the coronavirus era.
In terms of what can be learnt from this form of attack against a public agency, Martini adds: "Organizations must leverage modern systems with security in the cloud that follows the employee no matter where they are and also implement newer security approaches that would prevent a bad actor from gaining access in the first place."
Looking at the matter from a slightly different perspective, Robert Prigge, CEO of Jumio considers the use of personally identifiable information: "Cybercriminals can use the exposed Personally Identifiable Information (PII) to access user accounts or combine it with other readily available information on the dark web to change passwords, lock users out and steal their benefits."
He also considers how traditional methods of driving cybersecurity allowed the incident to happen, noting that: "Enterprises have no way of knowing whether the person logging in is the actual account owner or a fraudster using stolen information to access the account." However, each organization has a responsibility to protect personal data.
He also has advice for the state sector, explaining: "Government agencies must adapt to the modern fraud landscape to keep citizens safe. Implementing biometric authentication is far more secure, as it cannot be bypassed through credential stuffing or social engineering techniques."